Managing localhost

Tony Finch dot at
Fri Jun 25 21:02:11 UTC 2021

Grant Taylor via bind-users <bind-users at> wrote:
> On 6/21/21 11:00 AM, Tony Finch wrote:
> > That advice is out of date: nowadays you should not put any localhost
> > entries in the DNS, because it can cause problems for web browser security.
> > Modern software should suppress queries for localhost so they never reach
> > the DNS.
> If I'm understanding the problem correctly, it seems to come down to anything
> involving localhost /except/ fully qualified localhost.(implicit null).


As I mentioned in the blog post (link repeated below), I did some data
collection to verify that dropping the localhost subdomains would be safe:
answer, yes, there were basically no localhost queries.

I used to have a bunch of zones related to special-use domain names and IP
addresses, but after BIND 9.12 added support for DNSSEC-based NXDOMAIN
synthesis, I deleted them all. This means that (strictly speaking) my
servers don't conform to RFC 6761's requirements for localhost, but (a) I
can say that it is BIND's bug rather than mine, and (b) it doesn't matter
anyway because the query traffic is negligible.

> >
> >

f.anthony.n.finch  <dot at>
Faeroes: Variable 2 to 4, becoming southwest 5 to 7. Slight or
moderate, becoming moderate or rough. Occasional rain later. Good,
occasionally moderate later.

More information about the bind-users mailing list